Don't write out secure cookies unless the request is secure

commit 25139ac92cea5b17791d71359bc3ae2a5d526652 1 parent 0e52a60
@pixeltrix pixeltrix authored
10 actionpack/lib/action_controller/cookies.rb
@@ -60,7 +60,7 @@ class CookieJar < Hash #:nodoc:
attr_reader :controller
def initialize(controller)
- @controller, @cookies = controller, controller.request.cookies
+ @controller, @cookies, @secure = controller, controller.request.cookies, controller.request.ssl?
super()
update(@cookies)
end
@@ -81,7 +81,7 @@ def []=(key, options)
options[:path] = "/" unless options.has_key?(:path)
super(key.to_s, options[:value])
- @controller.response.set_cookie(key, options)
+ @controller.response.set_cookie(key, options) if write_cookie?(options)
end
# Removes the cookie on the client machine by setting the value to an empty string
@@ -126,6 +126,12 @@ def permanent
def signed
@signed ||= SignedCookieJar.new(self)
end
+
+ private
+
+ def write_cookie?(cookie)
+ @secure || !cookie[:secure] || defined?(Rails.env) && Rails.env.development?
+ end
end
class PermanentCookieJar < CookieJar #:nodoc:
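Review bot: The non-SSL path in `[]=` drops the cookie silently: when `write_cookie?` returns false the `set_cookie` call on the added line is skipped, but the `super(key.to_s, options[:value])` call just above it still stores the value in the jar, so `cookies[key]` reads back a value the client never received and nothing in the log explains why a login or remember-me cookie went missing. I would at least warn on that path, e.g. `return @controller.response.set_cookie(key, options) if write_cookie?(options)` followed by `@controller.logger.warn("Not sending secure cookie #{key.inspect} over a non-SSL request") if @controller.respond_to?(:logger) && @controller.logger`, and consider skipping the jar store as well. Note that `@secure` comes from a single `request.ssl?` call in `initialize`; if that predicate does not account for a TLS-terminating proxy's forwarded-protocol header in some deployment (I cannot see its definition here), every secure cookie is dropped in production rather than merely emitted over HTTP, which is a much louder failure than the one this commit prevents. The development bypass still emits the `secure` attribute, which a browser will not send back over plain HTTP, so `write_cookie?` deserves a comment such as `# Secure cookies are only written over SSL; the development exemption keeps local http setups from losing them silently, but the browser will not return a secure cookie over http either.` The body of `[]=` begins before this hunk.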
28 actionpack/test/controller/cookie_test.rb
@@ -100,11 +100,26 @@ def test_setting_cookie_with_http_only
end
def test_setting_cookie_with_secure
+ @request.env["HTTPS"] = "on"
get :authenticate_with_secure
assert_equal ["user_name=david; path=/; secure"], @response.headers["Set-Cookie"]
assert_equal({"user_name" => "david"}, @response.cookies)
end
+ def test_setting_cookie_with_secure_in_development
+ with_environment(:development) do
+ get :authenticate_with_secure
+ assert_equal ["user_name=david; path=/; secure"], @response.headers["Set-Cookie"]
+ assert_equal({"user_name" => "david"}, @response.cookies)
+ end
+ end
+
+ def test_not_setting_cookie_with_secure
+ get :authenticate_with_secure
+ assert_not_equal ["user_name=david; path=/; secure"], @response.headers["Set-Cookie"]
+ assert_not_equal({"user_name" => "david"}, @response.cookies)
+ end
+
def test_multiple_cookies
get :set_multiple_cookies
assert_equal 2, @response.cookies.size
@@ -177,4 +192,17 @@ def test_permanent_signed_cookie
assert_match %r(#{20.years.from_now.year}), @response.headers["Set-Cookie"].first
assert_equal 100, @controller.send(:cookies).signed[:remember_me]
end
+
+ private
+ def with_environment(enviroment)
+ old_rails = Object.const_get(:Rails) rescue nil
+ mod = Object.const_set(:Rails, Module.new)
+ (class << mod; self; end).instance_eval do
+ define_method(:env) { @_env ||= ActiveSupport::StringInquirer.new(enviroment.to_s) }
+ end
+ yield
+ ensure
+ Object.module_eval { remove_const(:Rails) } if defined?(Rails)
+ Object.const_set(:Rails, old_rails) if old_rails
+ end
end
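Review bot: `test_not_setting_cookie_with_secure` proves too little: `assert_not_equal ["user_name=david; path=/; secure"], @response.headers["Set-Cookie"]` also passes if the cookie is sent with a different path or without the `secure` flag, which is exactly the regression this change is meant to guard against. Assert the negative directly, e.g. `assert_nil @response.headers["Set-Cookie"]` (or whatever empty value this response object uses for an absent header) and `assert_equal({}, @response.cookies)`. Separately, `with_environment` misspells its parameter as `enviroment`, and `Object.const_get(:Rails) rescue nil` swallows every error rather than just a missing constant; `old_rails = Object.const_defined?(:Rails) ? Object.const_get(:Rails) : nil` says what is intended.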